Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
Web application attacks security guide: Preventing attacks and flaws
This Web application attacks guide explains how Web application attacks occur, identifies Web application attack types, and provides Web application security tools and tactics to protect against them. Learning Guide
-
Locking down your Web applications
In this primer, learn how dynamically created Web server content can present a risk to the server itself, and how good processes can improve the Web server security life cycle. Security School
-
Quiz: Could you detect an application attack?
Take this five-question quiz to test your application security awareness, review common application attacks and learn how to improve application layer logging to detect and protect against these attacks. Security Quiz
-
State-based attacks: Session management
In this excerpt from Chapter 4 of "How to Break Web Software: Functional and Security Testing of Web Applications and Web Services," authors Mike Andrews and James A. Whittaker identify session management techniques Web developers should use to prote... Book Chapter
-
Content Spoofing
This excerpt from "Preventing Web Attacks with Apache" explains how content spoofing attacks exploit vulnerabilities and how to use Apache to protect against them. Book Chapter
-
Quiz: Web application threats and vulnerabilities
This quiz will help you determine how knowledgeable you are about securing your Web apps and whether you need to hone your Web security skills. Security Quiz
-
Gaining access using application and operating system attacks
In this excerpt from Chapter 7 of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Second Edition, authors Ed Skoudis and Tom Liston explain how security professionals can use exploit frameworks to their advanta... Book Chapter
-
Controlling Web access with Apache
How to meet access control requirements with Apache and IIS Web servers. Book Chapter
- See More: Essential Knowledge on Web Application Security
-
HP study finds widespread custom Web application flaws
A review of hundreds of unique custom Web applications found more than half are vulnerable to cross-site scripting and more than 86% contain injection flaws. News | 18 Apr 2012
-
Time to ban dangerous apps? Exploring third-party app security
Column: Third-party applications are notoriously hard to patch and often easy to exploit. Is it time to ban applications, or can they be secured with a new approach? News | 27 Jan 2012
-
Adobe repairs critical Reader, Acrobat flaws, adds JavaScript control
The January 2012 update includes repairs to Adobe Reader X and a new feature giving administrators the ability to whitelist JavaScript execution. News | 10 Jan 2012
-
Twitter acquires WhisperSystems mobile security technology
Twitter acquired WhisperSystems, a firm that makes mobile encryption and firewall technology for Android devices. News | 28 Nov 2011
-
Web application risks exacerbated by social media ties, says ISACA
Asynchronous JavaScript Technology, XML, Flash and HTML 5 enable a rich Web experience, but also give attackers an alarming number of ways to penetrate corporate networks. News | 26 Oct 2011
-
New Java 7 features improve security
New features in Java 7 aim at bolstering security by switching off weaker encryption schemes. News | 06 Sep 2011
-
Realities of dealing with Web app security flaws
If you have Web apps, odds are you have Web app vulnerabilities. In this interview, Mike Rothman discusses what to do about them. Video | 01 Sep 2011
-
Black Hat 2011: Money for secure application development proves elusive
For most security teams, it’s still a struggle to find money for secure application development, according to a panel of Black Hat 2011 experts. News | 04 Aug 2011
-
New GrayWolf tool sheds light on Microsoft .NET application security
Black Hat 2011: A free Microsoft .NET application security tool helps programmers reverse-engineer .NET applications to manipulate and control them. News | 04 Aug 2011
-
Automated attack toolkits single biggest threat to Web apps, report finds
Automated attack tools are targeting directory traversal bugs, cross-site scripting errors, SQL injection flaws and remote file inclusion vulnerabilities. News | 26 Jul 2011
- See More: News on Web Application Security
-
HTML5 security: Will HTML5 replace Flash and increase Web security?
Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure. Tip
-
Enabling secure Web development means treating vulnerabilities as bugs
Gil Danieli explains why secure Web development depends on treating vulnerabilities like any other software bugs, and how to get Web developers to buy in. Tip
-
How to review your Web application security assessment tools, strategy
Expert Cory Scott offers pointers for using Web application security assessment tools and developing an application security assessment strategy. Tip
-
Addressing the dangers of JavaScript in the enterprise
The dangers of JavaScript are no secret to security professionals. Expert Michael Cobb discusses enterprise JavaScript defense technology and tactics. Tip
-
Understanding the value of an enterprise application-aware firewall
Today's enterprise application-aware firewall technology offers a host of features to manage application and Web 2.0 traffic. Expert Michael Cobb takes a look at the features and how to make the most of them. Tip
-
Netsparker: Free Web app security testing tool
Testing Web applications is critical for maintaining a secure enterprise network. Learn how to use the community version of Netsparker for free Web app security testing capabilities. Tip
-
Financials and the need for software regression testing
Attackers target financial-services websites, making it critical that financial firms include regression testing and version control in their software development practices. Tip
-
Improving software with the Building Security in Maturity Model (BSIMM)
Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? Tip
-
Using unique device identification for bank website security
Almost everyone has been asked a password challenge question on a website. Learn how to prevent identity fraud with unique device identification. Tip
-
Black box and white box testing: Which is best?
There's no question that testing application security is essential for enterprises, but which is better: black box security testing or white box security testing? Learn more in this expert tip. Tip
- See More: Tips on Web Application Security
-
Inside the W3C Web security standards to prevent cross-site scripting
Expert Mike Cobb details the W3C Web security standards designed to foster a content security policy and help prevent cross-site scripting attacks. Answer
-
Improving Web application security with automated attack toolkits
It may seem counterintuitive, but you can safely use automated attack toolkits to improve your Web application security. Nick Lewis explains. Answer
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks. Answer
-
Open source testing tools for Web applications: Website vulnerability scanner and recon tools
Google’s open source testing tools for Web applications can save organizations money and improve the security of Web apps. Answer
-
Insufficient authorization: Hardening Web application authorization
Insufficient authorization errors can lead to Web app compromises and data loss. Learn how to fix these authorization errors. Answer
-
Microsoft security check: Is a Redmond Internet health check viable?
While it would be nice to check every computer for malware before allowing it on the Internet, expert Nick Lewis details why this is problematic. Answer
-
How an IIS Web application pool can help secure your enterprise
Did you know an IIS Web application pool not only helps manage your applications, but also makes them more secure? Expert Michael Cobb explains the benefits of Web application pools. Answer
-
Debug and test Web applications using Burp Proxy
The Burp Proxy tool, part of the Burp Suite, has many useful features that test Web application security. Learn how to start using Burp Proxy. Answer
-
Using a Web application honeypot to boost security for Web applications
Honeypots can be a valuable tool for logging and analyzing intrusions, but do you know the disadvantages to setting up a honeypot? Expert Michael Cobb explains some honeypot best practices. Answer
-
Using virtual test labs for virtual software testing
Do you know of virtualization that reduces your investment in hardware, space and general overhead? Virtual test labs can do just that. Expert Michael Cobb explains virtual software testing and how it can benefit your enterprise. Answer
- See More: Expert Advice on Web Application Security
-
Web application (Web app)
A Web application (Web app) is an application program that is stored on a remote server and delivered over the Internet through a browser interface. Definition
-
pen test (penetration testing)
Penetration testing (also called pen testing) is a tool for testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit. (Continued) Definition
-
distributed denial-of-service attack (DDoS)
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Definition
-
National Computer Security Center (NCSC)
The National Computer Security Center (NCSC) is a U.S. government organization within the National Security Agency (NSA) that evaluates computing equipment for high security applications to ensure that facilities processing classified or other sensit... Definition
-
JavaScript hijacking
JavaScript hijacking is a technique that an attacker can use to read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML)... (Continued) Definition
-
buffer overflow
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Definition
-
cookie poisoning
On the Web, cookie poisoning is the modification of a cookie (personal information in a Web user's computer) by an attacker to gain unauthorized information about the user for purposes such as identity theft. Definition
-
cache cramming
Cache cramming is a method of tricking a computer into running Java code it would not ordinarily run. Definition
-
LUHN formula (modulus 10)
The LUHN formula, also called modulus 10, is a simple algorithm used to validate the number on a credit card. Definition
-
anonymous Web surfing (Web anonymizer, SafeWeb)
Anonymous Web surfing allows a user to visit Web sites without allowing anyone to gather information about which sites the user visited. Definition
- See More: Definitions on Web Application Security
-
Screencast: Burp Suite tutorial highlights Burp Proxy, other key tools
In this screencast, Mike McLaughlin offers a short Burp Suite tutorial, including the key features of this powerful pen testing tool: Burp Proxy. Video
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
Web application attacks: Types and countermeasures
Video: Matasano Security's Cory Scott covers Web application attack types and how they target different layers of an application. Video
-
Mike Rothman on handling Web application security vulnerabilities
If you have Web apps, odds are you have Web app vulnerabilities. In this interview, Mike Rothman discusses what to do about them. Video
-
Gartner’s Ramon Krikken on Web application security scanners
In this video, learn how to get the most out of Web application security scanners, and the four key elements for a successful implementation. Video
-
Noted cryptographer on SSL, encryption and cloud computing
Cryptographer, Taher Elgamal of Axway Inc., the inventor and initial driving force behind SSL, explains how applications may be better adapted to defend against attacks. Video
-
WASC Web Honeypot Project enters next phase
Ryan Barnett of Breach Security and leader of the WASC Honeypot Project talks about phase three of the project, which uses an open proxy server to analyze Web attack data. Video
-
PCI compliance requirement 6: Systems and applications
Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 6: "Develop and maintain secure systems and applications." Video
-
The future of exploit vulnerability research
At Information Security Decisions 2008, security researchers discuss the most vulnerable network points and the future of the SDLC (part 1 of 4). Video
-
Defending against Internet security threats and attacks
From buffer overflows to cross-site scripting, Web threats are many. Security researchers at Information Security Decisions 2008 discuss how to keep enterprises safe from these attacks (part 2 of 4). Video
-
- See More: All on Web Application Security
About Web Application Security
Browse this section for the latest news, expert advice and learning tools on Web application security, including common threats and methods for protecting against them, Web application testing, assessment and firewalls including how to deploy a firewall.